feat: Technical review — Related website sets docs #30500
Conversation
chrisdavidmills
requested review from
sideshowbarker,
teoli2003 and
dipikabh
and removed request for
a team
github-actions
bot
added
Content:WebAPI
chrisdavidmills
changed the title
chrisdavidmills
removed request for
a team,
sideshowbarker,
teoli2003 and
dipikabh
OK, great. I've added the necessary Permissions Policy info back into the |
|
|
||
| > **Note:** The Chrome-only [related website sets](/en-US/docs/Web/API/Storage_Access_API/Related_website_sets) feature can be considered a progressive enhancement mechanism that works alongside the Storage Access API — supporting browsers grant default third-party cookie access between websites in the same set. This means not having to go through the usual user permission prompt workflow described above, meaning a more user-friendly experience for users of sites in the set. | ||
|
|
||
| ## Requesting storage access on behalf of a related domain |
There was a problem hiding this comment.
I think this title is incorrect. Or at least misleading.
AFAIK requestStorageAccess also allows use of related domains to skip the prompt in Chromium-based browsers. So it too can benefit from related domains, but this section only discusses requestStorageAccessFor.
What requestStorageAccessFor specifically allows is access at the top level document (i.e. not in embedded iframes) for images or other such directly embedded content. AFAIK that's only implemented for related domains (rather than also with prompts) so that's the ONLY way with this API at present.
So I think this title should be something like:
| ## Requesting storage access on behalf of a related domain | |
| ## Requesting storage access for resources in the top-level document |
Or somethign like that.
There was a problem hiding this comment.
Reading descriptions of the method in the spec and DCC, it sounds like both of our suggestions are potentially misleading.
It sounds like you are saying here that requestStorageAccessFor() is only for requesting storage access for directly embedded resources that could set cookies, like images in <img> elements, and not resources embedded in <iframe>s. But the above links seem to suggest that it can do both.
I'm therefore adding text to the SAA landing pages and method page to make this clear, and changing the heading to Requesting storage access from the top-level site on behalf of embedded resources. Does that sound OK, or have I got the wrong end of the stick here?
There was a problem hiding this comment.
That title works for me. Maybe @cfredric can review too just to be sure?
My main concern was the original title suggested you had to use requestStorageAccessFor when working with related domains but if I understand correctly you can continue to use requestStorageAccess if it's just for iframed content (and use the fact that they are related domains to avoid the prompt in supporting browsers like Chrome).
I do agree that it's odd that the d.c.c. link suggests requestStorageAccessFor is for "cross-site images or script tags requiring cookies" and the spec includes iframes ("embedded resources such as iframes, scripts, or images") too which seems a little inconsistent. But maybe d.c.c. wanted to avoid the confusion with Storage Access API so kept it to the simpler use cases?
There was a problem hiding this comment.
I ended up adding a description in the requestStorageAccessFor() method page and the "Using" guide along these lines:
requestStorageAccessFor()is intended to address challenges in adopting the Storage Access API on top-level sites that use cross-site images or scripts requiring cookies. It can enable third-party cookie access for cross-site resources embedded in {{htmlelement("iframe")}}s, and directly embedded e.g. via {{htmlelement("img")}}s or {{htmlelement("script")}} elements.
As I understand it, the method is for top-level pages to request storage access for their embedded content, whereas regular requestStorageAccess() has to be called from inside the embedded content, to request access for itself. In which case, I think the descriptions are now OK.
But, let me know what you think.
There was a problem hiding this comment.
That title works for me too.
Apologies for the confusion around the DCC page and the spec. My summary of things (in Chrome) would be:
requestStorageAccess()skips the prompt if both sites (top-level and embedded) are in the same RWS; otherwise may show a prompt. Expected to be called in an embedded iframe. Intended for cross-site iframes that have their own logic and resources and need cookies.requestStorageAccessFor(origin)resolves and grants permission if both sites (the top-level andorigin) are in the same RWS; otherwise rejects. Never shows a prompt. Must be called by the top-level document. Intended for cross-site resources (not necessarily iframes) that need cookies, but can't callrequestStorageAccess()themselves.
Specifically about rSAFor and iframes: the "top-level-storage-access" permission only helps for resources that are loaded by the top-level document. I.e., any cross-site subresources that are loaded within an embedded iframe won't benefit; that iframe should use requestStorageAccess() instead. However, if the iframe source itself is cross-site and can only be loaded by authorized users (i.e. the iframe's load needs cookies), then the top-level document can use requestStorageAccessFor(origin) and the load the iframe with CORS to attach the cross-site cookies to the request.
I think the requestStorageAccessFor spec is in need of some updates as things have changed in the Storage Access API in the last few months; I'll put that on my team's todo list.
There was a problem hiding this comment.
That makes sense to me! I thought it might be for the iframe needing access to even load case.
|
|
||
| In the above code, we call `navigator.permissions.query({name: 'top-level-storage-access', requestedOrigin: 'https://example.com'})` To discover if the user will be prompted or if storage access has already been granted to the specified origin. | ||
|
|
||
| - If the permission status is `"granted"` we call `document.requestStorageAccessFor('https://example.com')`, which should succeed without a user gesture. |
There was a problem hiding this comment.
| - If the permission status is `"granted"` we call `document.requestStorageAccessFor('https://example.com')`, which should succeed without a user gesture. | |
| - If the permission status is `"granted"`, we can immediately use cross-site cookies in CORS-enabled requests. |
There was a problem hiding this comment.
Is this correct? For SAA we still need to call requestStorageAccess if the page is the granted state.
There was a problem hiding this comment.
Yes, I wrote what I meant to here :)
For requestStorageAccess(), the reason Chrome requires the iframe to always call rSA (even if permission has already been granted) is to protect the iframe from a CSRF attack. The iframe has to actively choose to include its cross-site cookies in requests, even if some other frame (elsewhere on the page, or on some other page within the last month) has already gotten the requisite permission. The call to rSA is treated as an active "opt-in" that indicates this specific iframe is ok with including cross-site cookies in its fetches.
For requestStorageAccessFor(origin), the "active opt-in" from the 3p site comes in the form of the server's CORS support. If the server doesn't want to honor the cross-site requests, it can use CORS headers (or lack thereof) to protect itself. (Regarding an opt-in from the 1p site, that's less important from a security perspective, but it's still there. It comes in the form of ensuring the top-level document's subresource request uses CORS mode. Without CORS mode, the "top-level-storage-access" doesn't apply, so cross-site cookies wouldn't be attached to the request.)
There was a problem hiding this comment.
OK. The fun of similar, but different, APIs! I presume requestStorageAccessFor(origin) is only needed for the first usage to set that to granted? After that it remembers it for the period (30 days?) and doesn't require re-requesting?
In which case, @chrisdavidmills on the line above you say:
In the above code, we call
navigator.permissions.query({name: 'top-level-storage-access', requestedOrigin: 'https://example.com'})To discover if the user will be prompted or if storage access has already been granted to the specified origin.
But there are no prompts with this API if I understand correctly, so I think this should be:
In the above code, we call
navigator.permissions.query({name: 'top-level-storage-access', requestedOrigin: 'https://example.com'})to discover if the page has previously calledrequestStorageAccessFor()and thereby granted permission, of if this call needs to be made to grant this access.
Or something like that.
Is that correct @cfredric ?
There was a problem hiding this comment.
@tunetheweb Yup, I agree with that rephrasing. (And you're correct about the first usage and the permission's lifetime (30 days))
There was a problem hiding this comment.
I've ended up rehrasing this again slightly this morning. The final text I came up with was:
In the above code, we call
navigator.permissions.query({name: 'top-level-storage-access', requestedOrigin: 'https://example.com'})to discover if the origin has previously been granted permission, or if cookie access still needs to be requested.
- If the permission status is
"granted"we can just start using cookies;requestStorageAccessFor()was already called so there is no need to call it again.- If the permission status is
"prompt"we need to calldocument.requestStorageAccessFor('https://example.com')call from within a user gesture, such as a button click.
Co-authored-by: Chris Fredrickson <[email protected]>
Co-authored-by: Chris Fredrickson <[email protected]>
Co-authored-by: Chris Fredrickson <[email protected]>
Co-authored-by: Chris Fredrickson <[email protected]>
Co-authored-by: Chris Fredrickson <[email protected]>
Co-authored-by: Chris Fredrickson <[email protected]>
|
@cfredric In light of latest comments and now understanding behavior better, I tinkered with some of the wording a bit more ;-) |
|
@cfredric @tunetheweb OK, looks like you are both happy with the content's technical accuracy. Thanks a lot for the review work. The next stage is to close this PR, and open a new one based on the same branch to contain the editorial review. If you find anything else that desparately needs changing, you can always bring it up in the editorial PR. |
Note: This technical review is now completed and approved. For the follow-on editorial review, see #30654.
Description
Related website sets is a part of Chrome's privacy sandbox project. It provides progressive enhancement for The Storage Access API, allowing the definition of a set of related, trusted sites that can receive automatic permission to access third party cookies originating from the set.
This PR aims to do the following:
Document.requestStorageAccessFor()method and add mentions and links in appropriate placestop-level-storage-accesspermission feature name specific torequestStorageAccessFor(), and make sure thestorage-accessfeature is marked as supported in Fx.Notes/questions
api.Document.requestStorageAccessForto mention that the sites involved have to be in the same RWS for it to worktop-level-storage-accessfeature name toapi.PermissionsPermissions-Policyintegration, with a feature name ofstorage-accessfor both. However, on therequestStorageAccessFor()spec it only talks about Permissions API integration, with a feature name oftop-level-storage-access. Does this mean thatrequestStorageAccessFor()is not controlled by Permissions-Policy, or does it mean that it is, but it is controlled bystorage-accesspermissions policies, like the rest of the SAA? I've currently written my docs as if the former is true, but I cna easily update this if it turns out to be wrong.Motivation
Additional details
Related issues and pull requests